CVE-2025-24788 MEDIUM

CVE-2025-24788: Snowflake Connector for .NET has weak temporary files permissions

Vendor Snowflakedb
Product snowflake-connector-net
Weakness CWE-276
Published January 29, 2025
Last update January 31, 2025

CVSS base score

5.0/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

snowflake-connector-net is the Snowflake Connector for .NET. Snowflake discovered and remediated a vulnerability in the Snowflake Connector for .NET in which files downloaded from stages are temporarily placed in a world-readable local directory, making them accessible to unauthorized users on the same machine. This vulnerability affects versions 2.0.12 through 4.2.0 on Linux and macOS. Snowflake fixed the issue in version 4.3.0.

Key dates

02Disclosure timeline

January 29, 2025 CVE published
January 31, 2025 Record updated